Orchestration · 10 surfaces

Right capability. Right surface.
Zero misdirected scans.

The dispatch model that turns a broad capability toolbox into a focused platform. Each capability gets pointed at the surface it was built for — never blasted at every asset by accident.

Why this matters

A scanner pointed at the wrong surface is worse than nothing.

Running a web DAST against a TLS-only network endpoint produces noise. Running a container scanner against a serverless function produces irrelevant findings. Running a SAST tool against a binary blob produces nothing. Every misdirected scan is cost without signal — and is the single most common cause of "the tool is too noisy" complaints.

Surface-aware orchestration solves it by inverting the dispatch model: instead of asking "which scanners should I run?" the platform asks "which scanners fit this surface?" — and only those run.

Capability matrix

10 surfaces · explicit per-surface capability stack.

no auto-fallback · no blast-all
  • Web
    Active scanning DAST · Tech fingerprint · Content discovery · Parameter discovery
  • API
    Schema-aware probing · OpenAPI drift · Auth-flow testing · Stateful fuzzing
  • Network
    Port + service map · TLS posture · Edge scan · DNS posture
  • Cloud
    Misconfig audit · IAM walk · Resource posture · Cross-account discovery
  • Code
    SAST · Secrets detection · Dependency posture · IaC posture · SBOM generation
  • Container
    Image CVE scan · Runtime drift · Admission policy · Hardening benchmark
  • Identity
    IAM relationship walks · Credential leak monitoring · OAuth grant audit · NHI discovery
  • Mobile
    Binary analysis · Runtime posture · Package leak detection
  • AI / LLM
    Prompt-injection probing · RAG context fuzzing · Shadow-AI discovery · Model exposure scanning
  • OT / ICS (limited)
    Industrial protocol fingerprint · Exposure check · Vendor advisory mapping

Explicit surface-to-capability mapping · auditable and operator-editable
Custom capability integrations available

Event-driven

Dispatch fires on events, not on the calendar.

Quarterly scan windows are the legacy operating model. Event-driven dispatch fires a targeted scan within minutes of the event that actually changed risk — a git push, a KEV entry, a new certificate, a cloud resource appearing.

The scheduled full sweep still runs, but as a baseline + delta — the platform tells you what changed since last time, not the whole report.

Triggers
  • Git push: SAST / secrets / dependency scan on affected service
  • CISA KEV entry: Affected-version sweep across in-scope assets
  • CT log: New subdomain → first-pass scan within minutes
  • CloudTrail: New cloud resource → misconfig + IAM check
  • K8s admission: Pod / service spec → policy + image posture
  • Schedule: Periodic full sweep — baseline + delta only
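
A minimal sketch of the dispatch model described in the capability matrix and trigger list above, added here as an illustration and not taken from the platform's code. Capability names come from the matrix; the event keys, the trigger-to-surface routes, the concurrency limits and the `runner` callback are assumptions.

```python
# Added illustration, not the platform's code. Capability names are from the
# page's matrix; event keys, routes, limits and the runner are assumptions.
import threading
from concurrent.futures import ThreadPoolExecutor

CAPABILITIES = {  # surface -> explicit capability stack
    "code": ["SAST", "Secrets detection", "Dependency posture"],
    "cloud": ["Misconfig audit", "IAM walk"],
    "container": ["Admission policy", "Image CVE scan"],
}
ROUTES = {"git_push": "code", "cloudtrail_new_resource": "cloud",
          "k8s_admission": "container"}  # assumed trigger keys
CAPS = {"code": 2, "cloud": 1, "container": 1}  # constructed per-surface limits

class NoRoute(Exception):
    """Raised for an unmapped trigger: no auto-fallback, no blast-all."""

class Dispatcher:
    def __init__(self, runner):
        self.runner = runner  # callable(surface, capability, asset)
        self.slots = {s: threading.BoundedSemaphore(n) for s, n in CAPS.items()}
        self.lock = threading.Lock()
        self.active = {s: 0 for s in CAPS}
        self.peak = {s: 0 for s in CAPS}  # highest concurrency seen per surface

    def plan(self, event):
        surface = ROUTES.get(event.get("trigger"))
        if surface is None:
            raise NoRoute(f"no surface mapped for {event.get('trigger')!r}")
        return [(surface, cap, event["asset"]) for cap in CAPABILITIES[surface]]

    def _run(self, job):
        surface = job[0]
        with self.slots[surface]:  # blocks once the surface's cap is reached
            with self.lock:
                self.active[surface] += 1
                self.peak[surface] = max(self.peak[surface], self.active[surface])
            try:
                return self.runner(*job)
            finally:
                with self.lock:
                    self.active[surface] -= 1

    def dispatch(self, events, workers=8):
        jobs = [job for event in events for job in self.plan(event)]
        with ThreadPoolExecutor(workers) as pool:
            return list(pool.map(self._run, jobs))
```

Planning happens before any job starts, so a batch containing an unmapped trigger fails with `NoRoute` rather than running anything by default.
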
Operations

Built for the long-running pipeline operators worry about.

Per-surface concurrency caps

Each capability has a configured concurrency limit, so a noisy run on web cannot starve cloud or identity scans.

Isolation by tenant + queue

Multi-tenant queues prevent one customer's scan storm from affecting another. No noisy-neighbor.

Drain backpressure

When a downstream stage saturates, dispatch slows automatically. Findings queue cleanly rather than dropping.

Automatic worker cleanup

Crashed or hung workers are reaped on a schedule. The dispatch surface stays clean; ghost workers do not accumulate.

See dispatch route a real event to the right scanners.

We'll fire a synthetic event during the call and watch the dispatch land — end-to-end.
